More malware found hosted in Google’s official Android market

Security researchers have found more malware hosted in Google's Android marketplace, the Google Play Store, a discovery that once again demonstrates the limitations of a recently deployed scanning service designed to flag malicious apps before they can be downloaded by end users.

Android.Dropdialer, a trojan that racks up costly charges from forced calls made to premium phone numbers, was found in two separate titles that weren't caught for weeks, according to a blog post published Tuesday by Irfan Asrar, a researcher with antivirus provider Symantec. "Super Mario Bros." and "GTA 3 Moscow City," as the malicious apps were packaged, generated as many as 100,000 downloads, although Asrar didn't say if that figure was for each separate title or in aggregate.

"What is most interesting about this Trojan is the fact that the threat managed to stay on Google Play for such a long time, clocking up some serious download figures before being discovered," Asrar wrote. "Our suspicion is that this was probably due to the remote payload employed by this Trojan."

In a blog post published last year, Asrar explained how breaking up a malicious app into separate, staged payloads prevented automated screening processes from detecting the malware. The idea behind the technique is that rather than including all the malicious code in a single file, attackers break it up into separate modules that are delivered independently. In the case of Android.Dropdialer, the first stage was posted on Google Play (formerly known as the Android Market) and once installed it would download additional packages.

The post appears to say that victims of this malware were at some point still presented with a list of permissions that included "services that cost you money," which would mean that end users who fell prey to this threat shoulder much of the responsibility. But considering the malicious titles were hosted on Google's own servers, it seems the company should also share some of the blame. In February, the search giant unveiled Bouncer, a cloud-based malware scanner. Since then, researchers have independently discovered abusive apps in Google Play on at least two other occasions. Researchers also found malware hosted in the Google Chrome Web store.
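The two signals discussed above, a "services that cost you money" permission in a title that has no reason to place calls and the network access a first stage needs to fetch further packages, can be checked mechanically before install. The following triage sketch is an added example, not code from Symantec, Google or the original article. It assumes the manifest has already been decoded to text XML, and the category policy, package names and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS

# Permissions Android presented to users as "Services that cost you money".
COST_MONEY = {"android.permission.CALL_PHONE", "android.permission.SEND_SMS"}
INTERNET = "android.permission.INTERNET"

# Assumption for this example: store categories where dialing or texting
# is part of the app's stated purpose.
EXPECTS_COST = {"communication"}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}


def triage(manifest_xml, category):
    """Flag manifests whose permissions do not fit the declared category.

    Returns {"verdict": "pass" | "review", "reasons": [...]}.
    """
    try:
        perms = requested_permissions(manifest_xml)
    except ET.ParseError:
        # A manifest that cannot be read is itself a reason for manual review.
        return {"verdict": "review", "reasons": ["manifest-unparseable"]}

    reasons = []
    cost = sorted(perms & COST_MONEY)
    if cost and category.lower() not in EXPECTS_COST:
        short = ",".join(p.rsplit(".", 1)[1] for p in cost)
        reasons.append("cost-permission-unexpected-for-category:" + short)
        if INTERNET in perms:
            # With network access, the code a scanner saw at submission
            # may not be all the code that ends up using the permission.
            reasons.append("network-access-with-cost-permission")
    return {"verdict": "review" if reasons else "pass", "reasons": reasons}


def manifest(package, perms):
    """Build a minimal constructed manifest for the samples below."""
    lines = ['<manifest xmlns:android="%s" package="%s">' % (ANDROID_NS, package)]
    lines += ['  <uses-permission android:name="%s"/>' % p for p in perms]
    lines.append("</manifest>")
    return "\n".join(lines)


# Constructed samples: (manifest text, store category).
SAMPLES = {
    "game_with_dialer_perm": (
        manifest("com.example.platformer",
                 ["android.permission.INTERNET", "android.permission.CALL_PHONE"]),
        "games",
    ),
    "real_dialer": (
        manifest("com.example.dialer", ["android.permission.CALL_PHONE"]),
        "communication",
    ),
    "plain_game": (
        manifest("com.example.puzzle", ["android.permission.INTERNET"]),
        "games",
    ),
    "truncated": ("<manifest><uses-permission", "games"),
}

if __name__ == "__main__":
    for label, (xml_text, category) in SAMPLES.items():
        print(label, triage(xml_text, category))
```

A "review" verdict only means the permission set does not match the category. It says nothing about what a later-downloaded package would contain.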

And this is why Apple doesn't allow remote data to be downloaded after the fact. Sucks for browsers but it helps.

You're a little off. Your app can't execute user supplied code. I've worked on games using an engine with a built in scripting language, where those scripts were added in extra downloaded data.

While something like this is easier to pull off in the Android store by its nature, there's nothing stopping me from writing a flashlight app for iOS that downloads new code after it hits market and steals your datas.

There's a fundamental problem with the way Android's install works. Sure you can blame the user for not noticing the permission list, but there's also a very well understood security hole that the dialog does not solve. In fact, that dialog is the cause of the loophole. It's called Dancing Pigs and the fundamental problem is, given a choice between dancing animals and security, a user will pick dancing animals almost every time.

That permissions list is basically getting in the way of the user and few people will read it. In fact, since ICS, it's gotten HARDER to read the list - it used to be that the "install" button was at the bottom of the list, now it's at the very top, making it stupidly easy to skip.

Yup. "Services that cost you money" could just mean the ability to directly send an SMS message, which if you have an unlimited plan doesn't cost you money. Basically to do anything interesting or useful it seems like an app will often need permissions that could easily be used for malicious purposes as well. A 3rd party map/gps app will require fine location and full network access, for instance...but that also could easily allow for tracking users without their knowledge.

76 Reader Comments

I read articles like this and think, "There's people who want to abuse my trust to take advantage of me? Oh yeah we learned that years ago." This is not anyone's first rodeo, people need to begin taking more personal responsibility for malware prevention. While a company providing a market for apps has a level of responsibility for weeding out harmful products, users need to stop being so lax in their personal security. Three easy steps to better security: 1. Read the permissions page. 2. Don't let your kids download alone. 3. If it sounds like you're getting scammed, you are.

I haven't had malware on any system in...years. I doubt a person who follows best practices on any OS, mobile or PC, will be hit often, if at all. So yes, saying "the users are the problem" is factually correct. But, since uneducated users are a given, an OS vendor has to take them into account when designing security. So for all those unclean masses that nerd rail about, a system that protects them against themselves is better than one that lets them make mistakes.

I'm not saying that iOS is "better" than Android. I'm not saying it's perfect, either. But there is an extra layer of protection in between bad code and the end-user, which, for the average person, is a good thing. Now, real security DOES lie in user behavior, but it's ridiculous not to hold the OS vendor responsible, in part, because they KNOW how people act. Google needs to do something, because as it stands, they're letting Apple (and Microsoft) potentially use that against them, just as Apple did to Microsoft.

I use Android as well as iOS, and I've had zero malware with either, but if my folks wanted a new phone and wanted it secure, I'd probably recommend iOS because it restricts their ability to make mistakes. Maybe not good for nerds, but a lot better for people who have more important things in their lives than figuring out their devices.

Would it be complete anathema to have some kind of market that was midway between the two? Perhaps some kind of review and/or vetting process for apps by an official board or group? No app would be denied a place in the market, but the customers would have some kind of at least semi-accurate rating as to the app's utility or safety?

I really don't have any exposure to the Android app market; all of my experience so far has been with the Apple app store. Is there any kind of rating system already in place? How effective is it? Do people pay any attention to the ratings or just go ahead and take a chance on new apps?

How about you check how many versions of your "fart app" are available before you purchase it, to find out if it "maybe" has malware??? It's called "common sense." Either you subscribe to it, or you are one of the mindless masses. Caveat Emptor.

Hostile much?

I think you're replying to the wrong person. I didn't say anything about "fart apps." You also appear to be committing the usual error of the technically-adept in assuming that the average person has the same or better level of technical know-how as you think you do. "Common sense" is usually bandied about by the arrogant and impatient. If it was truly common it wouldn't be an issue, now would it?

The problem with having a completely curated application store is that it is a huge enabler of carrier and handset manufacturer fuckery.

I would rather have 50K-100K people being complete fools and downloading dancing pigs that copy their credit card information than have fuckery, if it comes down to having to make that choice.

I mean, there's another way around this. Google could run an Apple App Store-like application market, but also mandate that all carriers and manufacturers have to allow outside application installs by some obscure terminal-enabled method or something like that as part of the Google Play Store license.

Result: Much less malware getting to end users, because there are only so many hoops the dumbasses are willing to jump through, but freedom is still preserved.

There's a fundamental problem with the way Android's install works. Sure you can blame the user for not noticing the permission list, but there's also a very well understood security hole that the dialog does not solve. In fact, that dialog is the cause of the loophole. It's called Dancing Pigs and the fundamental problem is, given a choice between dancing animals and security, a user will pick dancing animals almost every time.

That permissions list is basically getting in the way of the user and few people will read it. In fact, since ICS, it's gotten HARDER to read the list - it used to be that the "install" button was at the bottom of the list, now it's at the very top, making it stupidly easy to skip.

Yup. "Services that cost you money" could just mean the ability to directly send an SMS message, which if you have an unlimited plan doesn't cost you money. Basically to do anything interesting or useful it seems like an app will often need permissions that could easily be used for malicious purposes as well. A 3rd party map/gps app will require fine location and full network access, for instance...but that also could easily allow for tracking users without their knowledge.

I'd rather have some obvious malware on the market than have all my apps subject to Apple's every whim. Seriously, that's a tiny price to pay. Besides, a lot of the apps that I rely on simply do not have iPhone equivalents without jailbreaking (SwiftKey for example).

And when Android goes the way of desktop Linux market share and you get even less of the quality software than you do now, you'll have this kind of thinking to blame; "I'm a geek so I can protect myself--F*** the masses that basically support the platform and keep it relevant."

Both of these seem to also be obviously violating trademarks, it seems surprising to me that no one caught that issue right away.

It's not like Google cares much about copyright/IP issues in any of their other business lines (books, YouTube, news, etc.). Why would they start caring in Google Play? Their goal is to just offer as much content as cheaply as possible.

I'd rather have some obvious malware on the market than have all my apps subject to Apple's every whim. Seriously, that's a tiny price to pay. Besides, a lot of the apps that I rely on simply do not have iPhone equivalents without jailbreaking (SwiftKey for example).

And when Android goes the way of desktop Linux market share and you get even less of the quality software than you do now, you'll have this kind of thinking to blame; "I'm a geek so I can protect myself--F*** the masses that basically support the platform and keep it relevant."

Exactly this.

Android didn't take off because it was a nerd-friendly, "fully open" OS. It took off because all those hardware manufacturers were frantically clamouring for a smartphone OS to respond to iPhone with, and, with great timing, Google said "Oh, hey, we've got this. You can have it for free."

If things had gone slightly differently, like Microsoft having their shit together (right), Android would be a niche OS, much like Linux on the desktop, used mainly by condescending geeks.

There's a fundamental problem with the way Android's install works. Sure you can blame the user for not noticing the permission list, but there's also a very well understood security hole that the dialog does not solve. In fact, that dialog is the cause of the loophole. It's called Dancing Pigs and the fundamental problem is, given a choice between dancing animals and security, a user will pick dancing animals almost every time.

That permissions list is basically getting in the way of the user and few people will read it. In fact, since ICS, it's gotten HARDER to read the list - it used to be that the "install" button was at the bottom of the list, now it's at the very top, making it stupidly easy to skip.

Yup. "Services that cost you money" could just mean the ability to directly send an SMS message, which if you have an unlimited plan doesn't cost you money. Basically to do anything interesting or useful it seems like an app will often need permissions that could easily be used for malicious purposes as well. A 3rd party map/gps app will require fine location and full network access, for instance...but that also could easily allow for tracking users without their knowledge.

Right, but one should rightly wonder why a wallpaper app or a simple game would require "Services that cost you money". It would make sense for a dialer app or a SMS app or the like, but for a game? That should raise eyebrows, if people were reading it in the first place.

Android already presents the user with an easy to read bullet-point list of the requested permissions, and scans submitted apps for known malware; it's difficult to understand what else they can do without walling off the garden. And absence of walled gardens is precisely why I, for one, went with Android in the first place.

Aren't you a little off? You can download data-- images, text files, etc.-- after the app has been installed but you cannot download executable data-- new code-- after the app has been installed.

That is why all new versions of apps (new code) must be downloaded from the App Store, apps cannot update themselves.

Cryolithic wrote:

sprockkets wrote:

And this is why Apple doesn't allow remote data to be downloaded after the fact. Sucks for browsers but it helps.

You're a little off. Your app can't execute user supplied code. I've worked on games using an engine with a built in scripting language, where those scripts were added in extra downloaded data.

While something like this is easier to pull off in the Android store by its nature, there's nothing stopping me from writing a flashlight app for iOS that downloads new code after it hits market and steals your datas.

Most people here assume that phone users are smart and know the app market, but they are wrong; a lot of these phones are being bought for or by kids. They see Super Mario Brothers or whatever and just go for it. They have no idea about malware etc. The next thing they know their credit is zero, then they top up the phone and the cycle continues. Google should do more to protect these users.

While the majority of phone users are not security conscious, that does not mean they are children. Those two classifications are not mutually exclusive, and I would argue that the average smartphone-using child is aware of the existence of malware, even if they are not aware of its scope. Even if we assume they are not aware, as you do, ANY digital market involves a degree of Caveat Emptor. Regardless of whether the risk is malware or simply being ripped off, the buyer is ultimately responsible for their actions.

Another point I'd like to make is that in the cases of children using smartphones, the parents are almost always paying for the device, and it is their responsibility to parent their children. They should not expect Google, Apple, or anyone else to protect their children when they fail to take basic security precautions.

I think you're lost. This is Ars Technica. If you want to use the "think of the children" argument, try foxnews.com or yahoo.

I think you're lost. This is Ars Technica. If you want to use the "think of the children" argument, try foxnews.com or yahoo.

Oh, well it's good you're around to let us know who the true Scotsman Arsians are.

In the end, yes, there's a small degree of caveat emptor that owners should have, but geeks seem to think that this is some special province. How many people do all of their own plumbing? How many people do all of their own electrical work? Their own carpentry? How many people can actually disassemble their own carburetor if it's having issues? Heck, how many people here even change their own oil and filters?

It's really easy for a mechanic to laugh at how little people know about their cars, and for a plumber to laugh at how little people know about plumbing, but the fact of the matter is that most people could learn about it, but they'd rather be doing something else. If a mechanic rips someone off, do you blame the mechanic, or the victim? That's the problem, there's this massive disdain amongst geeks for those who don't know about technology, but there's massive disdain in lots of professions for the people who don't know about those things, because people like to assume that the skills they have are somehow more relevant or important. I love technology, but that doesn't mean that everyone else should. If you're not willing to spend your free time learning how to set your own engine timing, why should anyone else bother to know more than what they need to about technology?

How much do you know about the law? Honestly, could you write a brief on your own behalf if necessary? No is the answer for most people--a lawyer is going to know more. Sure, you should know a little bit, but if you had a bunch of lawyers in a forum together all talking about law as though every person in the country should know what they know, you'd call them pretentious pricks (and you'd be right). Yes, we should try to educate people on security, yes we should try to have some basic principles in mind. But you know what? Most people use their homes, their cars, their electricity, their water and the laws of their country on a daily basis. Why should they have to live up to some arbitrary level of knowledge to satisfy a bunch of self-righteous geeks, instead of being able to shingle their own roof, or fix their own car?

Unless you do everything yourself, you're in no position to judge others for needing help with what comes naturally to you because of your job/hobby.

I think you're lost. This is Ars Technica. If you want to use the "think of the children" argument, try foxnews.com or yahoo.

Oh, well it's good you're around to let us know who the true Scotsman Arsians are.

In the end, yes, there's a small degree of caveat emptor that owners should have, but geeks seem to think that this is some special province. How many people do all of their own plumbing? How many people do all of their own electrical work? Their own carpentry? How many people can actually disassemble their own carburetor if it's having issues? Heck, how many people here even change their own oil and filters?

It's really easy for a mechanic to laugh at how little people know about their cars, and for a plumber to laugh at how little people know about plumbing, but the fact of the matter is that most people could learn about it, but they'd rather be doing something else. If a mechanic rips someone off, do you blame the mechanic, or the victim? That's the problem, there's this massive disdain amongst geeks for those who don't know about technology, but there's massive disdain in lots of professions for the people who don't know about those things, because people like to assume that the skills they have are somehow more relevant or important. I love technology, but that doesn't mean that everyone else should. If you're not willing to spend your free time learning how to set your own engine timing, why should anyone else bother to know more than what they need to about technology?

How much do you know about the law? Honestly, could you write a brief on your own behalf if necessary? No is the answer for most people--a lawyer is going to know more. Sure, you should know a little bit, but if you had a bunch of lawyers in a forum together all talking about law as though every person in the country should know what they know, you'd call them pretentious pricks (and you'd be right). Yes, we should try to educate people on security, yes we should try to have some basic principles in mind. But you know what? Most people use their homes, their cars, their electricity, their water and the laws of their country on a daily basis. Why should they have to live up to some arbitrary level of knowledge to satisfy a bunch of self-righteous geeks, instead of being able to shingle their own roof, or fix their own car?

Unless you do everything yourself, you're in no position to judge others for needing help with what comes naturally to you because of your job/hobby.

Very well-said. Thank you. I'm usually leery of analogies but you've really come up with a good set of examples that put the unfortunate attitude of some technically-inclined people in perspective. I, personally, tend to stay away from mechanical things ... they tend to break if I look at them funny. My mechanic fixes my car and I help him with his computer and phone network problems. Neither one of us disdains the other for the areas of expertise we have and do not have. Works out nicely!

It's not unreasonable to have the majority of people expect to be able to purchase an app from a store without having to worry too much about the safety of it.

You know what, there is malware you can download onto your computer using those free software and free video game webpages (double points if they are hosted on a .ru domain). I appreciate Google removing these when they find them, but I also don't expect everything to be safe right off the bat. Perhaps I'm just paranoid. I don't install anything that doesn't have a good track record already, should already have lots of good reviews, be put out by a valid company or at least by a company that has been vetted (you know, Weather Channel doesn't have a lot of different apps on the market, but I bet they are a valid company). Next, if someone is posting an app that they OBVIOUSLY don't have the rights to, don't fall for it. Nintendo isn't making any Android games, so you can expect Super Mario Bros and Pokemon games to be shady at best.

I'd rather have an open system and some common sense than to ask a company to please protect me from myself.

In the end, yes, there's a small degree of caveat emptor that owners should have, but geeks seem to think that this is some special province. How many people do all of their own plumbing? How many people do all of their own electrical work? Their own carpentry? How many people can actually disassemble their own carburetor if it's having issues? Heck, how many people here even change their own oil and filters?

It's really easy for a mechanic to laugh at how little people know about their cars, and for a plumber to laugh at how little people know about plumbing, but the fact of the matter is that most people could learn about it, but they'd rather be doing something else. If a mechanic rips someone off, do you blame the mechanic, or the victim? That's the problem, there's this massive disdain amongst geeks for those who don't know about technology, but there's massive disdain in lots of professions for the people who don't know about those things, because people like to assume that the skills they have are somehow more relevant or important. I love technology, but that doesn't mean that everyone else should. If you're not willing to spend your free time learning how to set your own engine timing, why should anyone else bother to know more than what they need to about technology?

How much do you know about the law? Honestly, could you write a brief on your own behalf if necessary? No is the answer for most people--a lawyer is going to know more. Sure, you should know a little bit, but if you had a bunch of lawyers in a forum together all talking about law as though every person in the country should know what they know, you'd call them pretentious pricks (and you'd be right). Yes, we should try to educate people on security, yes we should try to have some basic principles in mind. But you know what? Most people use their homes, their cars, their electricity, their water and the laws of their country on a daily basis. Why should they have to live up to some arbitrary level of knowledge to satisfy a bunch of self-righteous geeks, instead of being able to shingle their own roof, or fix their own car?

Unless you do everything yourself, you're in no position to judge others for needing help with what comes naturally to you because of your job/hobby.

I think the point is that if you don't understand cars (and my understanding there is quite limited), you have to trust your mechanic to a certain extent. Most people find a regular mechanic who they trust, and if they break down far from home and have to go to some unknown mechanic, they get a bit nervous that they might get ripped off. People should learn to have the same level of skepticism toward apps.

If some random guy on the street (or at a car modding convention) told me he was a mechanic and he had a great new widget for $20 that would give my car 25% more power and use 60% less gas, I'd be really skeptical, and I certainly wouldn't just hand him $20 and the keys and say "here you go, fix it up!". I suspect that most people would be skeptical in this situation, even if they knew less about cars (or thermodynamics) than I do. Maybe I'm wrong about this and lots of people would fall for it, but I think even non-mechanically inclined people would have some sense in this kind of situation.

Yet somehow most people don't seem bothered by the idea of installing an app from an untrusted developer on their phone or computer without doing any investigation of the developer at all. Download counts and user ratings are a start, but I'd at least check the developer's web site to get a sense of who they are and how much they interact with their customers before installing an app on my phone or computer. Phones and computers may not have quite the lethal failure capability of cars, but they do generally contain private information and access to financial transactions, so it seems like people need to develop at least some level of skepticism toward new apps, even if they're not geeks.

I certainly don't expect people to understand the technical details of the apps they use (just as I don't understand all the technical details of my car), but the social aspect of deciding who to trust to modify a car or computer is something that I think people can be expected to consider. It's never going to be perfect (people have been cheated by dishonest mechanics for a long time). Trusting an app because it came from Google's Play store is like trusting a mechanic because they're listed in the phone book.

Personally, I wouldn't mind having a heavily curated store, as long as there was an easy (and officially supported) way around it (that couldn't be blocked by the carriers either). Right now, Google's store is kind of like the phone book. It's easy to get listed there, but the stuff listed there isn't really vetted thoroughly, so you have to use your own judgement on who to trust.

Apple tries to take a sort of middle ground here, where they do a bit more vetting, but it's still relatively easy to get stuff listed. The problem with Apple's model is that there is no way (other than jailbreaking) to get around it, so an app that isn't in their store essentially doesn't exist.

I'd rather see an open environment, with a variety of smaller independent stores. Each store could curate stuff at the level it wanted, and developers could choose to sell directly from their web sites if they want to. Some stores might be heavily curated, and it would be a bit more work for developers to get their apps in those stores, but users would learn that those stores were very safe. Other stores might have policies like Google currently does where it's easy to get apps up for sale, but users need to exercise a bit more caution.

The biggest problem I see right now is that the choice of software store is largely determined by the OS (though Android does allow some flexibility here, such as Amazon's store, and OUYA will have their own store), when it should be a separate decision. Your car manufacturer doesn't dictate which mechanics are trustworthy, and forbid you from going to the ones they don't approve of, but they can provide their own approved service centers as an option if they want to. App stores should be a similar matter.

I think you're lost. This is Ars Technica. If you want to use the "think of the children" argument, try foxnews.com or yahoo.

Oh, well it's good you're around to let us know who the true Scotsman Arsians are.

In the end, yes, there's a small degree of caveat emptor that owners should have, but geeks seem to think that this is some special province. How many people do all of their own plumbing? How many people do all of their own electrical work? Their own carpentry? How many people can actually disassemble their own carburetor if it's having issues? Heck, how many people here even change their own oil and filters?

Fair enough, but I don't expect people to show blind trust either, and the lack of common sense that people show with regards to personal safety on the internet is, IMHO, stunning.

Also, yes, I overreacted, but the use and abuse of the "think of the children" argument really pisses me off.

Fair enough, but I don't expect people to show blind trust either, and the lack of common sense that people show with regards to personal safety on the internet is, IMHO, stunning.

Also, yes, I overreacted, but the use and abuse of the "think of the children" argument really pisses me off.

They're not showing "blind" trust. They're showing trust in Google. It's called GOOGLEplay, after all. People assume, rightly or wrongly, that anything they download from the official marketplace should be safe. I'm not sure why a lot of people on this board find this so preposterous.

Fair enough, but I don't expect people to show blind trust either, and the lack of common sense that people show with regards to personal safety on the internet is, IMHO, stunning.

Also, yes, I overreacted, but the use and abuse of the "think of the children" argument really pisses me off.

They're not showing "blind" trust. They're showing trust in Google. It's called GOOGLEplay, after all. People assume, rightly or wrongly, that anything they download from the official marketplace should be safe. I'm not sure why a lot of people on this board find this so preposterous.

Probably because we know better than to blindly trust strangers, especially faceless megacorps. Especially especially when they themselves tell you to be vigilant.

dlux wrote:

StarKruzr wrote:

The problem with having a completely curated application store is that it is a huge enabler of carrier and handset manufacturer fuckery.

So Apple totally enables the carriers to do what they want, while Google protects Android users from carrier meddling.

And here I thought it was the exact opposite. Silly me.

No, Apple's store is pretty much exclusively handset manufacturer fuckery. They do a good job of keeping the carrier fuckery out (mostly, anyway; just try and get a tethering app on your phone), at the expense of injecting their own brand of fuckery.

Fair enough, but I don't expect people to show blind trust either, and the lack of common sense that people show with regards to personal safety on the internet is, IMHO, stunning.

Also, yes, I overreacted, but the use and abuse of the "think of the children" argument really pisses me off.

No, no, as you and others have pointed out, there's certainly a bit of general common sense you want people to have, but here's the thing: to most people, the "store" they're walking into is Google's. They don't know/care that it's not managed the same way as Apple's, the name they associate with it is Google. They trust Google, and for better or worse, they associate it with good things. You don't walk into a Walmart and know every brand, but if you buy something cheap, you still expect that if it's inside Walmart it's not going to kill you. Now obviously, that's not a good analogy to the reality of the Google app store, but I think it's a decent analogy of how people associate with it in their mind. To them, it's Google's store, and they're responsible for the products inside.

Now, is that fair? Probably not. But it's a real issue from a PR standpoint for Google, and something they should consider. No one bats an eyelash if someone downloads malware from some .ru address for Windows. That's par for the course. But if that same malware came from inside the Windows 8 store...then people would be pissed. It's all a matter of perception.

Clearly, I'm an advocate for tech knowledge. I have framed the XKCD comic about googling for answers for many of my relatives, to help them teach themselves. I advocate best practices for my family. But...there's a point at which we, the people who like tech, have to understand that we're no different than the car enthusiast who can't believe people don't know what kind of oil filter their car takes off the top of their head (funny story- we took a buddy of mine to teach him how to change his oil, picked out the filter for the V6 version of his car, and went to install it, only to find out that he'd been driving an inline 4-cylinder for 2 years thinking it was a V6-- he'd never so much as popped the hood).

So yeah, I understand your point, but at the same time, to get back to the central point of the article, having a Google-branded store puts the pressure on Google to deliver a malware-free experience. Now, obviously, they should still allow side-loading, but they're going to have to start doing some basic due diligence, I think, especially in a storefront where they take money. Otherwise, their name is going to still be on the store outside, and people are going to start questioning the store as a whole, not just the brands inside it.

"They're not showing "blind" trust. They're showing trust in Google. It's called GOOGLEplay, after all. People assume, rightly or wrongly, that anything they download from the official marketplace should be safe. I'm not sure why a lot of people on this board find this so preposterous."

-- Sorry but no, the people we're discussing, the utterly non-tech folks, do not comprehend that google "runs" the marketplace, or that google has any sort of responsibility for checking out the apps they download, or that apps would have any reason to need to be checked. At best they might understand that all the smart devices that aren't "iPhone" are somehow "android" but they only vaguely comprehend what that means, and to say that it's google's OS goes right past them, b/c they have no clue what google is to begin with. They're not putting any more trust in google on their phone than they do on their PC.

The fact that phones have succeeded in replacing the specific term "virus" with the generic term "malware" is a good thing, but from the standpoint of these users, that means there's nothing to be worried about.

Icon leads to apps.

Edit - Not to be overly mean to these people either, but there are still tons of people out there for whom computer technology is effectively magic, and thus presumed to be beyond their comprehension. These people are not even at the level of operating on the basic principles that this discussion presumes of "basic users"

Fair enough, but I don't expect people to show blind trust either, and the lack of common sense that people show with regards to personal safety on the internet is, IMHO, stunning.

Also, yes, I overreacted, but the use and abuse of the "think of the children" argument really pisses me off.

They're not showing "blind" trust. They're showing trust in Google. It's called GOOGLEplay, after all. People assume, rightly or wrongly, that anything they download from the official marketplace should be safe. I'm not sure why a lot of people on this board find this so preposterous.

Probably because we know better than to blindly trust strangers, especially faceless megacorps. Especially especially when they themselves tell you to be vigilant.

I take it you don't trust Walmart/Target either? So you double check all products from toys to food to electronics before taking them home for potential dangers?

Google is hardly a stranger. It's a brand and company that potentially is involved in your everyday life from email, to phone calls, to your appointment calendar, to your TV. It's the first place a lot of people go to when using the internet. Not sure why geeks always give Google a pass on this and blame the consumer. People assume that an 'official' store will have certain levels of quality control. It's not an unreasonable assumption. Android is built so that you can have multiple stores. The official one, which all the non geeks use, should be safe.

00Goat wrote:

Sorry but no, the people we're discussing, the utterly non-tech folks, do not comprehend that google "runs" the marketplace, or that google has any sort of responsibility for checking out the apps they download, or that apps would have any reason to need to be checked.

Err.. It's called GooglePlay. Why wouldn't you think it's run by Google? That's why they changed the name from Android Marketplace. They WANT to be associated with it.

Fair enough, but I don't expect people to show blind trust either, and the lack of common sense that people show with regards to personal safety on the internet is, IMHO, stunning.

Also, yes, I overreacted, but the use and abuse of the "think of the children" argument really pisses me off.

They're not showing "blind" trust. They're showing trust in Google. It's called GOOGLEplay, after all. People assume, rightly or wrongly, that anything they download from the official marketplace should be safe. I'm not sure why a lot of people on this board find this so preposterous.

Probably because we know better than to blindly trust strangers, especially faceless megacorps. Especially especially when they themselves tell you to be vigilant.

I take it you don't trust Walmart/Target either? So you double check all products from toys to food to electronics before taking them home for potential dangers?

You're goddamn right I do. If I buy a box of cookies from Target and the seal's been torn open, I don't eat it. I take it back for a refund, or I throw it out. Similarly, if I see an app on Google Play requesting permissions it has no reason to request, I don't download it. It's not hard.

"You're goddamn right I do. If I buy a box of cookies from Target and the seal's been torn open, I don't eat it. I take it back for a refund, or I throw it out. Similarly, if I see an app on Google Play requesting permissions it has no reason to request, I don't download it. It's not hard."

If you go to Target and get a box of cookies a few times with seal broken would it not put you off going back to that shop? It would put me off for sure.

Perhaps, if I get a large proportion of unsealed vs. sealed cookies that would make me think they aren't being vigilant in policing that sort of thing. And I think Google is being vigilant. By far, the vast majority of apps I've even looked at on Play seem completely safe, and they are quick to remove stuff like this when they're made aware of it.

You're goddamn right I do. If I buy a box of cookies from Target and the seal's been torn open, I don't eat it. I take it back for a refund, or I throw it out. Similarly, if I see an app on Google Play requesting permissions it has no reason to request, I don't download it. It's not hard.

So that's a no. You don't double check that stuff before you buy and take it home.

heartburnkid wrote:

Perhaps, if I get a large proportion of unsealed vs. sealed cookies that would make me think they aren't being vigilant in policing that sort of thing. And I think Google is being vigilant. By far, the vast majority of apps I've even looked at on Play seem completely safe, and they are quick to remove stuff like this when they're made aware of it.

Google's only gotten vigilant in the last year or so with a more proactive approach rather than retroactive. Google's getting better, but Play should be as safe as Apple's, and it's not. You hear things occasionally from the other OS app markets, but it's not to the degree of Google's.

And just because the vast majority of apps you've "looked at" on Play seem completely safe, it doesn't mean that they are. An app can have a total legitimate reason to look at your contacts, to access your SDcard, or to connect to the internet. But once you've given them the permission, it doesn't mean they can't use them for other reasons as well (ie that whole Linked In fiasco).

You're goddamn right I do. If I buy a box of cookies from Target and the seal's been torn open, I don't eat it. I take it back for a refund, or I throw it out. Similarly, if I see an app on Google Play requesting permissions it has no reason to request, I don't download it. It's not hard.

So that's a no. You don't double check that stuff before you buy and take it home.

So that's a "I understand what you're saying, but I'd rather argue the semantics of my metaphor than do anything constructive."

Quote:

heartburnkid wrote:

Perhaps, if I get a large proportion of unsealed vs. sealed cookies that would make me think they aren't being vigilant in policing that sort of thing. And I think Google is being vigilant. By far, the vast majority of apps I've even looked at on Play seem completely safe, and they are quick to remove stuff like this when they're made aware of it.

Google's only gotten vigilant in the last year or so with a more proactive approach rather than retroactive. Google's getting better, but Play should be as safe as Apple's, and it's not. You hear things occasionally from the other OS app markets, but it's not to the degree of Google's.

I don't want a market like Apple's. Apple's app store takes forever for things to get approved, and too many apps get denied for trivial reasons or for reasons having more to do with Apple's or the carrier's business model than security. Plus, there's the opaqueness of the whole thing.

Apple's store is safer than Google's, sure. It's also safer to stay inside the house all day, but I'd rather get out and go for a jog, and even cross the occasional street. By and large, Google Play is safe as long as the user exercises their own due diligence, and Google makes that pretty damn easy to do. That so many users choose not to is their problem.

I take it you don't trust Walmart/Target either? So you double check all products from toys to food to electronics before taking them home for potential dangers? <snip>Err.. It's called GooglePlay. Why wouldn't you think it's run by Google? That's why they changed the name from Android Marketplace. They WANT to be associated with it.

Since you started with this metaphor...

First of all, when I go to Walmart, the majority of things I buy there aren't branded as "Walmart" products. Some products are Walmart-branded, others are not. This is exactly like Google Play. The vast majority of products in the market are made by third-parties, but some are Google-branded. In other words, the fact that it's called the Google Play Store is irrelevant, as the products carried therein are not created by Google, just like Walmart carries mostly products made by someone else.

Do you mean to tell me that it is Walmart's responsibility to go through every single product they sell and make sure it's safe for the consumer? If some assclown at Frito-Lay puts syringes in the potato chip bags and I go buy one and get stabbed, is it Walmart's fault? Hell no, it's not. The least I can expect for Walmart to do is remove those items from their shelves, let consumers know they found them, and nothing more. This is exactly the same as what Google does when someone finds a malicious piece of software in the Google Play Store.

So, how can you possibly argue that it's Google's responsibility to make sure all the products sold in the Google Play Market are safe for you to download? Just because Apple pre-screens everything, doesn't mean that's how it needs to be done by everyone. If the consumer needs hand-holding to keep them safe from their own bad decisions, they have three options: 1) Don't download any apps, 2) Research an app before blindly downloading it, 3) Get an iPhone.

Other than that, Google has done everything that can be asked of them without unduly restricting all the perfectly safe app-developers (the vast majority), which was their priority from day one.

Now if Google's own GMail or Maps apps were installing trojans on my phone I'd say you had a point -- just as if Walmart's house-brand cereal gave everyone explosive diarrhea -- but that's not what's happening here.

Either your metaphor is terrible, or you didn't think it through very well.

So that's a "I understand what you're saying, but I'd rather argue the semantics of my metaphor than do anything constructive."

I don't want a market like Apple's. Apple's app store takes forever for things to get approved, and too many apps get denied for trivial reasons or for reasons having more to do with Apple's or the carrier's business model than security. Plus, there's the opaqueness of the whole thing.

Nope just completely disagree with you, and pointing out you actually don't do a serious check of every single item before you buy and take it home. Because you would've noticed that the box had already been opened. Or if it's a quality control issue on the part of the manufacturer, you would've known it because you would've done research on the company before you buy their products.

All of which is unreasonable, of course. But so is saying an average consumer should be able to 1) understand Google's archaic permissions, 2) evaluate if the app's requests are reasonable, 3) Determining if the app is legit by a) downloads (apparently 100k isn't enough) and b) by developer (tough since lots of great apps are by unknown developers, and there are known developers who do bad apps -- ie LinkedIn), and 4) then once downloaded, evaluating if the app is appropriately using the permissions which seemed reasonable at the start. Frankly, Google's the only one with the capability to do all that.

albeec13 wrote:

Do you mean to tell me that it is Walmart's responsibility to go through every single product they sell and make sure it's safe for the consumer? If some assclown at Frito-Lay puts syringes in the potato chip bags and I go buy one and get stabbed, is it Walmart's fault? Hell no, it's not. The least I can expect for Walmart to do is remove those items from their shelves, let consumers know they found them, and nothing more. This is exactly the same as what Google does when someone finds a malicious piece of software in the Google Play Store.

I'm not talking individual items on a store shelf. I'm talking about product lines. Stores can't control if someone injects poison into a bag of chips -- although I'll bet security beefs up considerably after it happens once, let alone multiple times. Stores can decide to not stock a hairdryer that might explode due to bad wiring.

There's a reason why you don't see a bunch of lead painted toys at Walmart nor (for long) opened boxes of Aspirin on store shelves. Sure, some things rarely get through, but recalls/poisonings hurt the store brand. There are documentaries on Walmart and Costco out there. It's really amazing how much effort they go through to screen every product they decide to stock.

Do you mean to tell me that it is Walmart's responsibility to go through every single product they sell and make sure it's safe for the consumer? If some assclown at Frito-Lay puts syringes in the potato chip bags and I go buy one and get stabbed, is it Walmart's fault? Hell no, it's not. The least I can expect for Walmart to do is remove those items from their shelves, let consumers know they found them, and nothing more. This is exactly the same as what Google does when someone finds a malicious piece of software in the Google Play Store.

Okay, if you're going to use the metaphor I brought in, please use it responsibly. The point isn't about people poisoning a single unit of an item-- or, in the realm of Google, this isn't about a single download being corrupted. The point is that non-tech people assume that because it's sold by Google (ie, they bought a Google Phone, they check out with their Google account, Google makes money off of it...) that Google is responsible. You'd better bet your butt that Walmart controls what products go into their store. Heck, they're darn near an oligopoly in some cases. So if they started selling a brand of cookie that made you sick (ie, the whole brand is tainted), you bet your ass people would hold the seller responsible.

It's NOT a perfect metaphor for how the Google store actually works (since Google doesn't have the same sign-off procedures)-- but the metaphor was designed to show how non-tech people think, and why it might be important to have a store where things are vetted before being sold. So both of you two arguing are misusing the metaphor. It's not about individual units being poisoned (I mean...really?), it's about people trusting the BRANDS in Walmart-- but it's also just supposed to be indicative of how people think, not about how the actual store operates. There's obvious distinctions, so I never meant it to be a 1:1 comparison.

Quote:

So, how can you possibly argue that it's Google's responsibility to make sure all the products sold in the Google Play Market are safe for you to download? Just because Apple pre-screens everything, doesn't mean that's how it needs to be done by everyone. If the consumer needs hand-holding to keep them safe from their own bad decisions, they have three options: 1) Don't download any apps, 2) Research an app before blindly downloading it, 3) Get an iPhone.

I, for one, am saying it's their responsibility to make their product attractive to developers. If their store ceases to be attractive to users because they no longer trust it, then they aren't doing their job for the consumer or the developer. Apple's methods may be severe, but often times, it's better for the masses. That doesn't mean what you like isn't also good, but this whole discussion started when people were saying how users need to be more responsible. My point was, quite simply, that most people prefer to let experts handle things they don't understand, rather than learn things they don't care about. So the better solution, from an OS standpoint, is not to stand back and let users get taken advantage of, but to protect them from themselves.

Power users may not like it, but we're a fraction of the market. So if Google doesn't react well to this phenomenon, it'll be a problem for them.

Do you mean to tell me that it is Walmart's responsibility to go through every single product they sell and make sure it's safe for the consumer? If some assclown at Frito-Lay puts syringes in the potato chip bags and I go buy one and get stabbed, is it Walmart's fault? Hell no, it's not. The least I can expect for Walmart to do is remove those items from their shelves, let consumers know they found them, and nothing more. This is exactly the same as what Google does when someone finds a malicious piece of software in the Google Play Store.

I'm not talking individual items on a store shelf. I'm talking about product lines. Stores can't control if someone injects poison into a bag of chips -- although I'll bet security beefs up considerably after it happens once, let alone multiple times. Stores can decide to not stock a hairdryer that might explode due to bad wiring.

Re-read what I wrote. I said "some asshat at Frito Lay" not "some guy walks into Walmart and taints a bag of potato chips." The implication was a manufacturer is putting out a bad product and Google/Walmart has already "stocked" it. That's like a single software company putting out a malicious application. In other words, security has nothing to do with it. Walmart doesn't pre-screen every item they put on their shelves, and even a product that was once safe can become malicious in the future. Someone can write a benign app and inject malicious code in an update in the future.

dayznfuz wrote:

There's a reason why you don't see a bunch of lead painted toys at Walmart nor (for long) opened boxes of Aspirin on store shelves. Sure, some things rarely get through, but recalls/poisonings hurt the store brand. There are documentaries on Walmart and Costco out there. It's really amazing how much effort they go through to screen every product they decide to stock.

Right, because once Walmart learns a lead-tainted toy exists, they remove it and stop carrying it. Google removes a malicious app when they find out it's malicious. Walmart doesn't test every toy they stock beforehand for lead. If there's a documentary showing they do, I'd love to see it, and I'll stand corrected, but that's still beside the point.

Android's app store didn't want to go the heavy-handed route, has less restrictions on what apps can do, and still does a good job of removing applications when they turn out to be malicious. As the article states, they do use scanning software now to find malicious apps, but clearly need to do some tweaking to catch apps like the one in question. Still, accidents happen, and things squeak through to the consumer.

Apple has a different stance and wants to scan every app before placing it in their store, and I'd argue this is more to make sure app policies (such as not having non-Apple content downloads, and bypassing Apple's cut of profits) are followed, than looking purely for malicious apps.

I would also make the case that this is less of a problem on iOS than Android, not because of Apple's app certification process, but because of the fact that iOS development has a much larger up-front cost (must have a mac computer, objective-c knowledge, and a developer account that costs money just to submit apps) than Android (java-based, free SDK, free dev account), so criminals are most likely to take the free and easy route at getting their malicious code out there. Especially now, with Android having more market share than iOS devices, it's a win-win situation for someone trying to make a quick buck illegally.

Do you mean to tell me that it is Walmart's responsibility to go through every single product they sell and make sure it's safe for the consumer? If some assclown at Frito-Lay puts syringes in the potato chip bags and I go buy one and get stabbed, is it Walmart's fault? Hell no, it's not. The least I can expect for Walmart to do is remove those items from their shelves, let consumers know they found them, and nothing more. This is exactly the same as what Google does when someone finds a malicious piece of software in the Google Play Store.

Okay, if you're going to use the metaphor I brought in, please use it responsibly. The point isn't about people poisoning a single unit of an item-- or, in the realm of Google, this isn't about a single download being corrupted. The point is that non-tech people assume that because it's sold by Google (ie, they bought a Google Phone, they check out with their Google account, Google makes money off of it...) that Google is responsible. You'd better bet your butt that Walmart controls what products go into their store. Heck, they're darn near an oligopoly in some cases. So if they started selling a brand of cookie that made you sick (ie, the whole brand is tainted), you bet your ass people would hold the seller responsible.

Read my previous response to "dayznfuz" as it covers most of what I wanted to say to you as well. Once again, I wasn't talking about a single tainted item, I was referring to a tainted product line (i.e. a malicious app). No one knows it's tainted until someone finds out the hard way, or if someone pre-screens every item as it enters the market, including new shipments (new versions) of items that are already stocked.

The problem with the store metaphor is an app developer is largely anonymous on the Play Store, whereas a product sold in Walmart that turns out bad will cause a backlash against the company that made it. Walmart won't be held responsible directly, and they can only be expected to remove the product to protect consumers when they become aware of the situation. Yes, they can do things to prevent situations like this by only stocking items from vetted companies, but even good companies put out bad products once in a while.

Similarly, Google is employing scanning technology to stop most malicious apps, but some get through, and when they are made aware of it, they pull them. What's the problem here? When in history has everything sold in a store been guaranteed to be perfect and wholesome, especially in a place that stocks hundreds of thousands to millions of products?

As I said in my previous post, Google is more susceptible to this problem than iOS because it's an easier target for criminals to get into. Read my last post for details, so I don't have to reproduce them here.

Do you mean to tell me that it is Walmart's responsibility to go through every single product they sell and make sure it's safe for the consumer? If some assclown at Frito-Lay puts syringes in the potato chip bags and I go buy one and get stabbed, is it Walmart's fault? Hell no, it's not. The least I can expect for Walmart to do is remove those items from their shelves, let consumers know they found them, and nothing more. This is exactly the same as what Google does when someone finds a malicious piece of software in the Google Play Store.

I'm not talking individual items on a store shelf. I'm talking about product lines. Stores can't control if someone injects poison into a bag of chips -- although I'll bet security beefs up considerably after it happens once, let alone multiple times. Stores can decide to not stock a hairdryer that might explode due to bad wiring.

Re-read what I wrote. I said "some asshat at Frito Lay" not "some guy walks into Walmart and taints a bag of potato chips." The implication was a manufacturer is putting out a bad product and Google/Walmart has already "stocked" it. That's like a single software company putting out a malicious application. In other words, security has nothing to do with it. Walmart doesn't pre-screen every item they put on their shelves, and even a product that was once safe can become malicious in the future. Someone can write a benign app and inject malicious code in an update in the future.

dayznfuz wrote:

There's a reason why you don't see a bunch of lead painted toys at Walmart nor (for long) opened boxes of Aspirin on store shelves. Sure, some things rarely get through, but recalls/poisonings hurt the store brand. There are documentaries on Walmart and Costco out there. It's really amazing how much effort they go through to screen every product they decide to stock.

Right, because once Walmart learns a lead-tainted toy exists, they remove it and stop carrying it. Google removes a malicious app when they find out it's malicious. Walmart doesn't test every toy they stock beforehand for lead. If there's a documentary showing they do, I'd love to see it, and I'll stand corrected, but that's still beside the point.

I'm not arguing that Google can't pre-screen every app, just that they aren't obligated to. Consumers have some responsibility to do their due diligence. Apple has a different stance and wants to scan every app before placing it in their store, and I'd argue this is more to make sure app policies (such as not having non-Apple content downloads, and bypassing Apple's cut of profits) are followed, than looking purely for malicious apps.

Android's app store didn't want to go that heavy-handed route, and still does a good job of removing applications when they turn out to be malicious. And, as the article states, they do use scanning software now to find malicious apps, but clearly need to do some tweaking to catch apps like the one in question. Accidents happen, and things squeak through to the consumer.

I would argue that this is less of a problem on iOS than Android, not because of Apple's app certification process, but because of the fact that iOS development has a much larger up-front cost (must have a mac computer, objective-c knowledge, and a developer account that costs money just to submit apps) than Android (java-based, free SDK, free dev account), so criminals are most likely to take the free and easy route at getting their malicious code out there.

Why would you think Google didn't want to go the 'heavy handed' route, is it because they believe in the free, anything goes principle or is it that they don't want to be burdened with the task of pre screening apps? My view is that they want the apps that Apple rejected along with the 'good' apps. To build up the number of apps available and build a head of steam. The problem with this approach is they do attract the scum of the development world, as well as the best and will become a dumping ground for malicious apps. Does google really want to be known as a shop full of malicious apps? They are already well on the way there.

Why would you think Google didn't want to go the 'heavy handed' route, is it because they believe in the free, anything goes principle or is it that they don't want to be burdened with the task of pre screening apps? My view is that they want the apps that Apple rejected along with the 'good' apps. To build up the number of apps available and build a head of steam.

I won't argue much with you there. In order to catch up to iOS when Android first came out, it was beneficial for Google to allow easy app submissions from developers to quickly build up their platform's attractiveness (similar to their misrepresentation of Google+ subscriber numbers, by avoiding talking about actual user engagement and inflating user numbers by tying GMail/other Google account creation to G+ account creation.)

However, a big part of Android's attractiveness as a platform was the virtual absence of restrictions on what was allowed for developers to do (as compared to Apple's heavy restrictions on apps that compete with "core" iOS apps, being able to change default apps, etc.) Apple's ability to enforce those rules is the main impetus for their control of app submissions, which were not necessary on Android. The side-effect (or main reason, depending who you ask) of this is that Apple also could catch malware more easily, since they're scanning apps for unsanctioned behavior anyway.

Now that they do have a larger developer following and malicious apps are becoming more prevalent, Google has taken steps (such as scanning tools) to catch malware, and continues to improve on this.

Lwio wrote:

The problem with this approach is they do attract the scum of the development world, as well as the best and will become a dumping ground for malicious apps. Does google really want to be known as a shop full of malicious apps? They are already well on the way there.

As I mentioned in a previous post, there are many reasons why Android is targeted, including but not limited to: less stringent screening process than iOS, cheaper overall development costs, OS market share, ease of development.

Calling Google Play a "shop full of malicious apps" is a little over-the-top, though. The vast majority of apps are not malware, and anyone who does a little simple investigation within the Play Store (reading reviews, checking star ratings, and checking developer's other apps/download statistics, all of which is easily available from the download screen) is not affected by malicious apps. All it takes is a little common sense, which, unfortunately, many people seem to lose when it comes to the internet and computers.

That's why people love apple's security - it does all the work for them, no exceptions either with a "install from 3rd party sources." That part I cannot live with, and no, I don't feel like I should have to jail break.

"Bah-ah-ah-ah-ah-ah!," goes the sheople...

I don't get this kind of crap. Android users always "defend" themselves by saying, "Yeah! But users are idiots!" when Android is shown to be a cesspool of malware. But then they turn around and say of Apple, "Yeah! But Apple treats users like idiots!"

It sounds like, in your view, Apple treats users exactly how they should be treated. So which is it, boyo? Are they idiots or not?